Packets and Protocols - St. Clair County Community College
Packets and Protocols
Chapter One
Introduction
Course title: Introduction to TCP/IP
Course No: CIS
Prerequisite: CIS
Credit Hrs: 4
Text Book: Wireshark and Ethereal - Syngress
– We cannot troubleshoot networks until we understand how they work. To know how protocols work at their most basic level means that you have a clear understanding of how protocols and their associated packets work. With this knowledge you will be able to troubleshoot a myriad of network problems.
Class structure - http://cis.sc4.edu/
Start – 6:15
Breaks – 2 – various times
End – NLT 10:00
Contact time – 5:25 – 6:15
Instructor – John Kowalski
– [email protected]
Silly-bus
Course website
Grading scale
Slides
Course outcomes
White hat agreement
1. Name
2. Background/Experiences/Certifications, etc?
3. What do you know about the use of sniffers?
Network analysis – defined
– The process of capturing network traffic for the purpose of troubleshooting network anomalies with various tools and techniques.
What is a sniffer?
– Technically it is a product produced by NetScout
– It is a tool that converts bits and bytes into a format that we can understand.
What is a network analyzer?
– Can be anything!
  Portable laptop
  Dedicated hardware
  Generic PC used for packet captures
What does an analyzer tool look like?
(Screenshot of an analyzer window showing its three panes: SUMMARY, DETAIL, DATA)
A packet analyzer is composed of five basic components
1. Hardware
2. Driver
3. Buffer
4. Real-Time Analysis Tool
5. Decode
What is a protocol analysis tool used for?
– Converting binary to English
– Troubleshooting
– Performance analysis
– Logging traffic
– Establishing benchmarks
– Discovering faulty devices
– Intrusion detection
– Virus detection
The Good, the Bad and the Ugly
– Like any tool the possibility for misuse exists
  Hackers can steal info
  The “curious” can snoop
  Passwords can be captured
  Learn what viruses would be most effective
  Learn IP addressing schemes for DOS attacks
Other network analyzers
– WinDump
– Network General Sniffer (now NetScout)
– Network Monitor
– EtherPeek
– tcpdump
– Snoop
– Snort
– Dsniff
– Ettercap
– Etc….
How does a sniffer……sniff?
– All Ethernet enabled devices see all of the traffic on “the wire”
– Ethernet is not a secure protocol so sniffers are the perfect tool for troubleshooting
Normal NIC behavior
– Unicasts, bcasts, mcasts
Promiscuous mode
– All-Unicasts, all-bcasts, all-mcasts, all-traffic!
(Diagram: end node in normal mode. The ROUTER says “I have a packet here for MAC Address 103”. MAC 100, MAC 101, MAC 102 and MAC 104 each say “It’s not for me!”; MAC 103 says “That’s my address!”)
(Diagram: end node in promiscuous mode. Same packet for MAC Address 103. MAC 100, MAC 101 and MAC 102 say “It’s not for me!”; MAC 103 says “That’s my address!”; MAC 104, now in promiscuous mode, says “It’s not my address but I’ll take it!”)
A word about MAC addresses
– Media Access Control Addresses:
  Are unique
  Can be viewed by ipconfig (windows)
  Can be overridden (spoofing)
    – DOS attack
    – SYN attack
    – Smurf Attack
  Consist of an Organization Unique Identifier
    – http://standards.ieee.org/regauth/oui/oui.txt
Local Area Networks – Ethernet address types
  Addresses are 6 bytes long
  Generally written in hexadecimal
  Globally unique (unicast) – aka Burned-in-address
  00.0C.12.34.AB.CD - Legal
  FF.FF.FF.FF.FF.FF - Legal
  00.00.01.10.45.G2 - Illegal
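An added example (not from the course slides) that checks MAC address strings the way the legal/illegal list above does, pulls out the OUI and the unicast/multicast/broadcast and burned-in/locally-administered bits, and models the normal vs. promiscuous mode decision from the two “It’s not for me!” diagrams. The function names and the dotted/colon/hyphen separator handling are my own choices.

```python
import re

BROADCAST = bytes([0xFF] * 6)

def parse_mac(text):
    """Return the 6 address bytes, or None if the string is not a legal MAC.
    Accepts '.', ':' or '-' separators; every octet must be two hex digits."""
    parts = re.split(r"[.:-]", text.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        return None          # e.g. '00.00.01.10.45.G2' fails: 'G' is not hex
    return bytes(int(p, 16) for p in parts)

def describe_mac(text):
    """Classify a MAC as on the slides: legal/illegal, broadcast, multicast,
    burned-in vs locally administered (overridden), plus the OUI (first 3 bytes)."""
    mac = parse_mac(text)
    if mac is None:
        return {"legal": False}
    return {
        "legal": True,
        "broadcast": mac == BROADCAST,
        # I/G bit: lowest bit of the first byte set means a group (multicast) address
        "multicast": bool(mac[0] & 0x01) and mac != BROADCAST,
        # U/L bit: second-lowest bit set means locally administered (spoofed/overridden);
        # clear means a globally unique burned-in address from the IEEE OUI registry
        "locally_administered": bool(mac[0] & 0x02),
        "oui": mac[:3].hex(":").upper(),
    }

def nic_accepts(dst_text, my_mac_text, promiscuous=False):
    """Does the NIC pass this frame up to the host? Normal mode: only its own
    unicast address, broadcast, and multicast (the slides lump all multicast
    in; real NICs filter by joined groups). Promiscuous mode: everything on
    the wire, which is what a sniffer relies on."""
    dst, mine = parse_mac(dst_text), parse_mac(my_mac_text)
    if dst is None or mine is None:
        return False
    if promiscuous:
        return True
    return dst == mine or dst == BROADCAST or bool(dst[0] & 0x01)
```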
The OSI Model
– A method of moving data from point to point using seven distinct steps
The TCP/IP model
– TCP/IP (aka DoD model) is newer and only contains four layers
(Figure labels: Moves Data; Connects processes; Provides Services)
7 Application
Allows users to transfer files, send mail, etc.
Only layer that users can communicate with directly
Key features are ease of use and functionality
6 Presentation
Standardized data encoding and decoding
Data compression
Data encryption and decryption
5 Session
Manages user sessions
Reports upper-layer errors
Supports Remote Procedure Call activities
4 Transport
Connection management (e.g., TCP)
Error and flow control
Connectionless, unreliable (e.g., UDP)
3 Network
Internetwork packet routing
Minimizes subnet congestion
Resolves differences between subnets
2 Data Link
Network access control - MAC address
Packet framing
Error and flow control
1 Physical
Moves bits across a physical medium
Interface between network medium and network devices
Defines electrical and mechanical characteristics of LAN
OSI vs. TCP Model
The Physical Layer
The Physical Layer only transmits bits to, and receives bits from, the physical medium. It does not “see” the bits as organized into meaningful patterns, such as an address.
The Physical Layer operates depending on the chosen network topology.
The Physical Layer cont.
A physical address is also referred to as a:
– Hardware address
– Adapter address
– Network interface card (NIC) address
– Medium Access Control (MAC) address
A physical address is required for network devices to ultimately deliver information to a given network node.
The Data Link Layer
We can categorize physical addresses, for the purposes of networking, into two general types:
– A LAN address is commonly found in an Ethernet or Token Ring LAN environment.
– WAN addresses in High-Level Data Link Control (HDLC) or frame relay network protocol addressing
Divided into two distinct parts
– MAC
  – The MAC address of the node – interfaces with lower layers
– LLC
  – Tags and identifies protocols - interfaces with upper layers
  – Think of it as a universal adapter
The Network Layer
A logical address is generally implemented as a software entity rather than a hardware entity.
There are two primary types of logical addresses, as follows:
– Network addresses, processed at the Network Layer
– Port or process addresses, processed at the Transport Layer
The Transport Layer
The Well-Known Port Numbers Table lists some of the more commonly used TCP and User Datagram Protocol (UDP) addresses.
The Transport Layer cont.
The Transport Layer is responsible not only for application addressing, but also for providing reliable communications over the best effort Layer 3 protocols.
The Transport Layer provides:
– Flow control
– Windowing
– Data sequencing
– Recovery
The Transport Layer cont.
Two protocols most commonly associated with layer 4
– TCP
  High overhead
  Connection oriented
  Reliable
– UDP
  Low overhead
  Connectionless
  Unreliable
  Fast
The Session Layer
The Session Layer:
– establishes, manages, and terminates sessions between applications.
– provides its services to the Presentation Layer.
– synchronizes dialog between Presentation Layer entities and manages their data exchange.
The Presentation Layer
The Presentation Layer:
– ensures that information sent by the Application Layer of one system is formatted in a manner in which the destination system’s Application Layer can read it.
– can translate between multiple data representation formats, if necessary.
The Application Layer
The Application Layer:
– is the layer closest to the user.
– provides user application services to application processes outside the OSI model’s scope and does not support the other layers.
– identifies and establishes the intended communication partners’ availability, synchronizes cooperating applications, and establishes agreed procedures for application error recovery and data integrity control.
– determines whether sufficient resources exist for the intended communications.
Ethernet communication steps
– Arbitration—Determines when it is appropriate to use the physical medium
– Addressing—Ensures that the correct recipient(s) receives and processes the data that is sent
– Error detection—Determines whether the data made the trip across the physical medium successfully
– Identification of the encapsulated data—Determines the type of header that follows the data link header
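An added example (not from the course slides) that shows three of the four steps above in code: addressing (destination and source MAC), error detection (the CRC-32 frame check sequence) and identification of the encapsulated data (the EtherType field). Arbitration happens on the wire and is not modelled. The sample frame is constructed; `build_frame`, `parse_frame` and the small EtherType table are my own names.

```python
import struct
import zlib

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}  # assumed subset

def build_frame(dst, src, ethertype, payload):
    """Assemble header + payload and append the FCS. Ethernet sends the CRC-32
    least-significant byte first, hence the little-endian pack. Real frames pad
    the payload to at least 46 bytes; the constructed sample below does not."""
    header = dst + src + struct.pack("!H", ethertype)
    body = header + payload
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)

def parse_frame(frame):
    """Decode a captured Ethernet II frame. 'fcs_ok' is False when the trailing
    CRC does not match the bytes that arrived, i.e. the frame was damaged."""
    if len(frame) < 14 + 4:
        raise ValueError("runt frame: shorter than header + FCS")
    body, fcs = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    dst, src = body[0:6], body[6:12]
    ethertype = struct.unpack("!H", body[12:14])[0]
    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "ethertype": ETHERTYPES.get(ethertype, hex(ethertype)),  # what header follows
        "payload": body[14:],
        "fcs_ok": (zlib.crc32(body) & 0xFFFFFFFF) == fcs,
    }

# Constructed sample: from 00:0c:12:34:ab:cd to the broadcast address,
# tagged as ARP, carrying a made-up 4-byte payload.
SAMPLE = build_frame(bytes.fromhex("ffffffffffff"), bytes.fromhex("000c1234abcd"),
                     0x0806, b"\x00\x01\x08\x00")

def demo():
    """Parse the good frame, then the same frame with one payload bit flipped
    in transit: the second one fails its error check."""
    good = parse_frame(SAMPLE)
    damaged = bytearray(SAMPLE)
    damaged[15] ^= 0x01
    bad = parse_frame(bytes(damaged))
    return good, bad
```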
CSMA/CD
CSMA
1. Node Listens
2. Node Sends Data
3. Node Listens
CD
1. Collision detected
2. Nodes “back off”
3. Node retransmits
Top four protocols:
– IP
– ICMP
– TCP
– UDP
While there are certainly more than four protocols these make up the bulk of network traffic.
IP
– Connectionless
– Moves data from one layer three address to another
Several fields:
– IPID Field
– Protocol
– TTL
– Source IP
– Destination IP
ICMP
– The “tattle tale” protocol
Echo
– Request/reply
Unreachable
– Destination
– Network
– Port
Time exceeded
– TTL
TCP
– The protocol you can count on
Uses include
– Web
– E-mail
– FTP
– SSH
Reliable
– Ack
– Handshake
Sequencing
– Disassembles and reassembles large payloads
UDP
– Quick but unreliable
Guaranteed fast! (but not guaranteed to get there)
– Uses
  VoIP
  DHCP
  DNS
  Gaming
Repeaters
Repeaters are used to
– Amplify signals and pass them to other network segments
– Packets are received, amplified and retransmitted
Repeaters have limited abilities
– Repeaters cannot filter or error check packets
– They are physical level devices with no built in algorithms
– Function is limited to digital signal amplification
Hubs
Hubs are multi-port repeaters
– Multi-port repeaters are also known as Hubs
– Connect workstations to the network
– Hubs can have multiple port connections and be stacked
– Use Twisted-pair cabling
Bridge
A bridge provides for
– Creation of a single “logical” LAN longer than any one cable
– Offers electrical & traffic isolation between cable segments
– Keeps local traffic local on the LAN
– Forwards only necessary traffic on to the WAN
Bridges are protocol independent
– Can support any protocol on the LAN
– Most common use of a bridge is to filter traffic
– Purpose is to separate LAN traffic based on MAC addresses
– Supports asynchronous or synchronous WAN connections
LAN Segmentation
Transparent Bridges perform three functions:
1. Learn MAC addresses by examining the source MAC address of each frame received by the bridge
2. Decide when to forward a frame or when to filter (not forward) a frame, based on the destination MAC address
3. Create a loop-free environment with other bridges by using the Spanning Tree Protocol
• Ethernet bridges are known as TRANSPARENT BRIDGES because they are invisible – or – transparent to the end devices
• Bridges observe traffic as it passes and record the MAC addresses
• Bridges forward all broadcast and unknown unicast packets
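An added example (not from the course slides) of the first two bridge functions above: a tiny transparent bridge that learns source MACs per port and then forwards, filters or floods each frame by destination MAC. Spanning Tree (the third function) is not modelled; the ports, MACs and frame sequence are constructed, and `LearningBridge` is my own name.

```python
class LearningBridge:
    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}            # MAC -> port it was last seen on (the bridge table)

    def handle(self, in_port, src, dst):
        """Process one frame arriving on in_port. Returns the list of ports the
        frame goes out on; [] means it was filtered (destination is on the same
        segment it came from, so local traffic stays local)."""
        self.table[src] = in_port  # learning: the source MAC lives behind in_port
        is_broadcast = dst.lower() == "ff:ff:ff:ff:ff:ff"
        out = self.table.get(dst)
        if is_broadcast or out is None:
            # broadcast, or unknown unicast: flood to every port except the source
            return [p for p in self.ports if p != in_port]
        if out == in_port:
            return []              # filter: source and destination share a segment
        return [out]               # forward: only the one port that needs it

def demo():
    """Constructed scenario: A and C share the segment on port 1, B is on
    port 2, D is on port 3. Returns the output ports chosen for each frame."""
    br = LearningBridge(ports=[1, 2, 3])
    log = []
    log.append(br.handle(1, "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02"))  # B unknown: flood
    log.append(br.handle(2, "bb:bb:bb:00:00:02", "aa:aa:aa:00:00:01"))  # A known: forward to 1
    log.append(br.handle(1, "cc:cc:cc:00:00:03", "aa:aa:aa:00:00:01"))  # same segment: filter
    log.append(br.handle(3, "dd:dd:dd:00:00:04", "ff:ff:ff:ff:ff:ff"))  # broadcast: flood
    return log
```

The bridge table built by `demo()` is exactly what a sniffer on port 2 would never see: after the second frame, A-to-C traffic stays on port 1.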
Switch (multi-port bridge)
Used to alleviate network congestion
– Divide networks into virtual LAN (VLAN) segments
– Ability to dedicate more bandwidth
– Function at data link layer of workgroups
– Function at Network layer of network backbones
Switches provide 100 Mbps ports for user connections
– Ethernet switches have replaced bridges in large networks
– Can also filter traffic based on MAC address
– Ethernet switches function as a repeater and a bridge
Switches actually make packet analysis more difficult
Router
Layer 3 device
Interconnects networks
A Layer 3 switch is a multi-port router
Packets and Protocols
Routers stop
the flow of
broadcasts
Packets and Protocols
How
many
collision
domains
are
there?
There are six collision domains
Firewalls
– Specialized devices
– Ability to examine packets at virtually every layer of the OSI model
– Generally placed at the “edge” of the network
– Offloads “policing” policies from the core routers
Typical Switch Port
Spanned Switch Port – Sniffer PC
Spanned Uplink Port – Sniffer PC – Internet
Placement of the sniffer is critical
Disparate Spanned Ports
(Figure: three 1 Gigabyte spanned ports feeding one 100 Megabyte sniffer port)
This will work, but you are bound to lose some data!
Detecting sniffers on your network
– Look for DNS reverse lookups
  Sniffers often use reverse lookups
– Send the pump-fake packet
  Look for a RST packet
– Monitor hub ports
  Maintain physical security/disable unused ports
– Send a fake-arp
  Sniffers respond to non-b-cast arp requests
Wireless sniffer tools
– Netstumbler
  Network scanner, not really a sniffer
– Kismet
  Good all around open source all free tool
– Wireshark
  Sniffer; does not show SSID/Signal strength
– CommView
  Commercial wireless monitor for WiFi
– And others… (P36)
Commonly seen protocols
– DHCP
– DNS
– NTP
– HTTP
– SMTP
DHCP
– Used to give clients the necessary information they need to function on the network
  IP address
  Subnet mask
  DG
  WINS server
  DNS server
– Sniff for:
  The last ACK packet to gather the most information
DNS
– Used to determine the IP address of a hostname and vice-versa
  Uses UDP port 53 – TCP for zone transfers and packets >512k
  Used to remotely look up records in a DNS database
– Sniff for:
  The DNS response packet
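An added example (not from the course slides) that decodes the DNS response packet the slide says to sniff for, i.e. the UDP port 53 payload, into the fields an analyzer’s detail pane shows: transaction ID, query/response flag, return code, question and answer records, following name-compression pointers. The packet is constructed and the answer address comes from the 192.0.2.0/24 documentation range; `read_name` and `parse_dns` are my own names.

```python
import struct

def read_name(msg, off):
    """Read a domain name at offset, following compression pointers (0xC0xx).
    Returns (name, offset just past the name as it is written in the packet)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # pointer back to an earlier name
            if not jumped:
                end = off + 2                  # the pointer itself is 2 bytes
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:                        # root label terminates the name
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def parse_dns(msg):
    """Decode header, question section and answer section of a DNS message."""
    tid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4]); off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        rdata = msg[off:off + rdlen]; off += rdlen
        if rtype == 1 and rdlen == 4:          # A record: render as dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": tid, "response": bool(flags & 0x8000),   # QR bit: 1 = response
            "rcode": flags & 0x000F, "questions": questions, "answers": answers}

# Constructed response: ID 0x1234, flags 0x8180 (response, recursion desired and
# available, no error), one question for www.example.com type A, and one answer
# whose name is a pointer (0xC00C) back to the question name, TTL 300.
SAMPLE = (bytes.fromhex("123481800001000100000000")
          + b"\x03www\x07example\x03com\x00" + b"\x00\x01\x00\x01"
          + b"\xc0\x0c" + b"\x00\x01\x00\x01" + b"\x00\x00\x01\x2c" + b"\x00\x04"
          + bytes([192, 0, 2, 10]))
```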
NTP
– Used to reference a time source for synchronization
  Uses UDP port 123
  Uses a server/client model
– Sniff for:
  The NTP response packet with the time and synchronization packet in it.
HTTP
– Most commonly used protocol
– Payload is text data
  Uses TCP port 80
  Uses a server/client model
– Sniff for:
  Uses TCP, make sure the handshake takes place, then look for data to follow
SMTP
– Used to transfer e-mail from place to place: mail server to mail server and mail server to client
  Uses TCP port 25
  Payload is text data
  – Non-textual data is converted to text via MIME
Protecting your network from sniffers
Physical security is the best method
– Lock closets
– Disable ports
– Be alert for hubs, WAPs etc
As a last resort, just make sure that whatever is sniffed is useless to a hacker
How to ward off the evil doers
– Use SSH – not TELNET
  SSH encrypts its payload
– Use SSL – not HTTP
  SSL encrypts HTTP data
– Use IPSec
  IPSec is layer three encryption (tunneling)
– Use VPN
  VPN encrypts data into IP tunnels (layer 2 tunneling)